Discord has introduced DAVE, its new end-to-end encryption (E2EE) protocol for audio and video communications, aimed at enhancing user privacy across voice calls, group DMs, and Go Live streams. This major security upgrade marks a significant step in Discord's ongoing efforts to protect the 200 million monthly users on its platform.
Announced by one of the platform’s engineers, Stephen Birarda, DAVE is a new system designed to ensure the contents of voice and video calls are encrypted and inaccessible to anyone outside the call, including Discord itself. The system was developed after extensive testing and collaboration with the cybersecurity firm Trail of Bits, which performed a comprehensive review of the protocol's design and implementation. It is important to note, however, that the messages users exchange on Discord will not be encrypted with E2EE, as DAVE is specifically focused on securing real-time media.
The new protocol will be gradually rolled out across Discord's various communication platforms. Users will be able to verify if their calls are encrypted, ensuring transparency. Additionally, Discord has made the protocol's details open-source by releasing a whitepaper and relevant libraries, inviting further scrutiny and feedback from the developer community.
Discord said its motivation for implementing DAVE is grounded in five key goals: providing truly private conversations, creating an open and auditable protocol, offering broad platform support, ensuring seamless user experience, and maintaining scalability for large group calls. The company emphasized that while DAVE will enhance privacy, it is designed not to interfere with the platform's user-friendly experience.
Technical highlights of DAVE
The core of DAVE revolves around WebRTC’s Encoded Transform API, enabling encryption at the media frame level, and the use of Messaging Layer Security (MLS) for group key exchanges. The protocol ensures that encryption keys are unique to each session and change dynamically as participants join or leave calls. MLS allows DAVE to scale effectively, ensuring that even large group calls can benefit from end-to-end encryption without performance sacrifices.
Additionally, DAVE incorporates features like identity key pairs and out-of-band user verifications, allowing call participants to verify one another’s identities. Users can opt for persistent key pairs across multiple devices for a more seamless verification process, or they can maintain ephemeral keys for greater privacy. Discord also introduced the concept of “epoch authenticators,” which are strings of numbers used to confirm that all participants share the same encryption state during a call.
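To make the epoch authenticator idea concrete, the following is an added example, not code from Discord or the DAVE libraries. It shows why a short numeric code derived from the group's current secret changes when membership changes and differs between participants whose state has diverged. The HMAC-based derivation, the label string, the function names, and the sample roster are assumptions for illustration; DAVE's actual derivation is defined by its whitepaper and MLS.

```python
import hashlib
import hmac

def next_epoch_secret(prev_secret: bytes, members: list[str], epoch: int) -> bytes:
    # Toy stand-in for a group key update (assumption, not MLS itself):
    # mix the previous secret with the epoch number and the sorted roster.
    roster = "\n".join(sorted(members)).encode()
    return hmac.new(prev_secret, epoch.to_bytes(8, "big") + roster, hashlib.sha256).digest()

def epoch_authenticator(epoch_secret: bytes, groups: int = 6, digits: int = 5) -> str:
    # Derive a separate value from the secret so the displayed code never
    # exposes key material, then render it as groups of decimal digits.
    tag = hmac.new(epoch_secret, b"example-epoch-authenticator", hashlib.sha256).digest()
    chunks = []
    for i in range(groups):
        n = int.from_bytes(tag[i * 5:(i + 1) * 5], "big") % 10 ** digits
        chunks.append(f"{n:0{digits}d}")
    return " ".join(chunks)

def codes_match(a: str, b: str) -> bool:
    # Constant-time comparison of two displayed codes.
    return hmac.compare_digest(a.encode(), b.encode())

def demo() -> dict:
    start = bytes(32)  # constructed placeholder secret, not a real key
    # Epoch 1: Alice and Bob hold the same roster and secret.
    alice1 = next_epoch_secret(start, ["alice", "bob"], 1)
    bob1 = next_epoch_secret(start, ["bob", "alice"], 1)
    # Epoch 2: Carol joins, so the secret (and the code) changes.
    alice2 = next_epoch_secret(alice1, ["alice", "bob", "carol"], 2)
    # Constructed mismatch: Bob's client ended up with a different roster.
    bob2_bad = next_epoch_secret(bob1, ["alice", "bob", "carol", "ghost"], 2)
    return {
        "epoch1_match": codes_match(epoch_authenticator(alice1), epoch_authenticator(bob1)),
        "code_rotated": epoch_authenticator(alice1) != epoch_authenticator(alice2),
        "mismatch_detected": not codes_match(epoch_authenticator(alice2), epoch_authenticator(bob2_bad)),
        "sample_code": epoch_authenticator(alice2),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When participants read their codes to each other over a separate channel, a mismatch indicates that their clients do not share the same group state.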
Impact on Discord’s userbase
Discord has become a popular platform for communities built around gaming, hobbies, and other shared interests, and securing voice and video calls with E2EE further reinforces the platform's commitment to user privacy. With this change, users can confidently engage in private conversations, knowing their communications are secured from outside access, including potential attacks on the server infrastructure.
This update also positions Discord among the leaders in real-time communication security, and the ability to verify encryption through visual codes provides users with tangible confirmation of their privacy. However, the lack of E2EE in direct messages and chats is still significant, and we hope that introducing it is in Discord’s future plans.